Thank you for this idea. The connection is now successful:
http://pastebin.com/idLxrzRA

But the application on :41952 is blocking the request. Let me clarify: the only URL that is working is:
https://localhost:41952/DYMO/DLS/Printing/Check
https://www.dropbox.com/s/syw5clruyjildyf/Screenshot%202015-10-10%2019.18.23.png?dl=0

Non-working URLs:
https://127.0.0.1:41952/DYMO/DLS/Printing/Check
https://www.dropbox.com/s/8fc2v1e3gr0ap2q/Screenshot%202015-10-10%2019.19.27.png?dl=0
https://192.168.2.123:41952/DYMO/DLS/Printing/Check
https://www.dropbox.com/s/yfkwx1s5acfek38/Screenshot%202015-10-10%2019.20.46.png?dl=0

From a remote machine (through stunnel) I get the same error:
https://www.dropbox.com/s/cm6l358k948hxhu/Screenshot%202015-10-10%2019.21.23.png?dl=0

Interesting that 127.0.0.1 and 192.168.2.123 also point to the localhost and it's not working. I think the web service on :41952 checks the request header? Is there any way to fake this?

Regards,
Adrian

> On 10. 10. 2015, at 19:06, Jose Alf. <[email protected]> wrote:
>
> Adrian,
>
> Sorry, I didn't read your original mail carefully. You want to write
> https://192.168.1.10:1988
> and reach your SSL or TLS service that listens on port 4952 of the loopback
> interface on the host with IP 192.168.1.10.
>
> You need two stunnel stanzas to achieve what you want. Something like:
>
> [myservice]
> cert = stunnel.pem
> client = no
> accept = 0.0.0.0:1988
> connect = localhost:1987
>
> [myserviceaux]
> cert = stunnel.pem
> client = yes
> accept = localhost:1987
> connect = localhost:4952
>
> If you find this too convoluted, you could try other reverse proxy
> software like apache or squid.
>
> With your original config, you should be able to connect using http instead
> of https, as stunnel is expecting clear text traffic.
>
> Please try and let us know how it goes.
>
> On Saturday, October 10, 2015 9:58 AM, Josealf.rm <[email protected]> wrote:
>
> Some clarifications
>
> 1. Most likely stunnel and your service can't negotiate a protocol. Thus the
> connection fails. The service could be using SSL3, which is now obsolete. You
> may need to downgrade from TLS to SSL3 in stunnel.
> 2. You can do a direct test with curl against your service (local) or openssl
> s_client.
>
> Regards
> Jose
>
> On 9 Oct 2015, at 5:44, Adrián Mihálko <[email protected]> wrote:
>
>> Some good news, I removed client = yes as you suggested:
>>
>> 2015.10.09 12:39:29 LOG5[main]: Configuration successful
>> 2015.10.09 12:39:29 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
>> 2015.10.09 12:39:34 LOG6[57]: SSL socket closed (SSL_read)
>> 2015.10.09 12:39:34 LOG5[57]: Connection closed: 0 byte(s) sent to SSL, 445 byte(s) sent to socket
>> 2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from 192.168.1.25:49671
>> 2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated
>> 2015.10.09 12:39:34 LOG6[60]: No peer certificate received
>> 2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
>> 2015.10.09 12:39:34 LOG6[60]: failover: round-robin, starting at entry #0
>> 2015.10.09 12:39:34 LOG6[60]: s_connect: connecting ::1:41952
>> 2015.10.09 12:39:34 LOG5[60]: s_connect: connected ::1:41952
>> 2015.10.09 12:39:34 LOG6[60]: persistence: ::1:41952 cached
>> 2015.10.09 12:39:34 LOG5[60]: Service [myservice] connected remote server from ::1:50598
>> 2015.10.09 12:39:34 LOG6[60]: SSL socket closed (SSL_read)
>> 2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
>> 2015.10.09 12:39:34 LOG5[61]: Service [myservice] accepted connection from 192.168.1.25:49672
>> 2015.10.09 12:39:34 LOG6[61]: SSL accepted: new session negotiated
>> 2015.10.09 12:39:34 LOG6[61]: No peer certificate received
>> 2015.10.09 12:39:34 LOG6[61]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
>> 2015.10.09 12:39:34 LOG6[61]: failover: round-robin, starting at entry #1
>> 2015.10.09 12:39:34 LOG6[61]: s_connect: connecting 127.0.0.1:41952
>> 2015.10.09 12:39:34 LOG5[61]: s_connect: connected 127.0.0.1:41952
>> 2015.10.09 12:39:34 LOG6[61]: persistence: 127.0.0.1:41952 cached
>> 2015.10.09 12:39:34 LOG5[61]: Service [myservice] connected remote server from 127.0.0.1:50599
>>
>> openssl s_client log:
>>
>> http://pastebin.com/7bg3sf7J
>>
>> The problem is now that the site loads forever; nothing happens.
>>
>> (This certificate (:1988) is different from the original one (:41952). Is this not a problem?)
>>
>> curl test:
>>
>> $ curl https://192.168.1.17:1988/DYMO/DLS/Printing/Check -vk
>> * Trying 192.168.1.17...
>> * Connected to 192.168.1.17 (192.168.1.17) port 1988 (#0)
>> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> * Server certificate: localhost
>> > GET /DYMO/DLS/Printing/Check HTTP/1.1
>> > Host: 192.168.1.17:1988
>> > User-Agent: curl/7.43.0
>> > Accept: */*
>> >
>> waiting forever.
>>
>> 2015-10-09 12:34 GMT+02:00 Adrián Mihálko <[email protected]>:
>> In the first mail I wrote the ports wrong; of course in the log I am using the
>> right ones.
>>
>> [myservice]
>> cert = stunnel.pem
>> client = yes
>> accept = 0.0.0.0:1988
>> connect = localhost:41952
>>
>> 2015-10-09 12:32 GMT+02:00 Adrián Mihálko <[email protected]>:
>> Sorry, curl was only for testing.
>>
>> Adrians-MacBook-Pro:~ adrianmihalko$ openssl s_client -connect 192.168.1.17:1988
>> CONNECTED(00000003)
>> 1130:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:
>>
>> 2015.10.09 12:23:21 LOG5[main]: Reading configuration from file stunnel.conf
>> 2015.10.09 12:23:21 LOG5[main]: UTF-8 byte order mark detected
>> 2015.10.09 12:23:21 LOG5[main]: FIPS mode disabled
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-pop3]
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-imap]
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-smtp]
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [myservice]
>> 2015.10.09 12:23:21 LOG6[main]: Loading certificate from file: stunnel.pem
>> 2015.10.09 12:23:21 LOG6[main]: Loading key from file: stunnel.pem
>> 2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to prevent MITM attacks
>> 2015.10.09 12:23:21 LOG5[main]: Configuration successful
>> 2015.10.09 12:23:21 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
>> 2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from 192.168.1.25:49454
>> 2015.10.09 12:23:42 LOG6[39]: failover: round-robin, starting at entry #0
>> 2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952
>> 2015.10.09 12:23:42 LOG5[39]: s_connect: connected ::1:41952
>> 2015.10.09 12:23:42 LOG5[39]: Service [myservice] connected remote server from ::1:50564
>> 2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost
>> 2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
>> 2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
>> 2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
>> 2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
>> 2015.10.09 12:23:42 LOG6[39]: SSL socket closed (SSL_read)
>> 2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket
>>
>> If I am connecting to :41952:
>>
>> openssl s_client -connect 192.168.1.17:41952 ...
>>
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1724 bytes and written 712 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 4096 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>> ...
>>
>> 2015-10-09 10:55 GMT+02:00 test rig <[email protected]>:
>>
>> Ouch #2 missing...
>>
>> Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes
>> with a client=no on the server
>>
>> You are connecting to :9999 with curl(?)
>> Try to verify it via the "openssl s_client -connect yourserverip:1988" command
>>
>> Best Regards
>> Michael
>>
>> --- Original message ---
>> From: "test rig" <[email protected]>
>> Date: 09.10.2015 09:48:02
>> To: "[email protected]." <[email protected]>
>> Subject: Re: [stunnel-users] (no subject)
>>
>> Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes
>> with a client=no on the server
>> --- Original message ---
>> From: Adrián Mihálko
>> Date: 09.10.2015 08:15:19
>> To: [email protected]
>> Subject: [stunnel-users] (no subject)
>>
>> Dear stunnel users,
>>
>> I have a little service which listens only on https://localhost:4952 and
>> checks the source hostname. I want to connect on "listen:1988" and redirect
>> requests with stunnel to "localhost:4952"
>>
>> https://192.168.1.10:1988 -> redirect https://localhost:4952
>>
>> I am trying to configure stunnel like this
>>
>> [myservice]
>> cert = stunnel.pem
>> client = yes
>> accept = 0.0.0.0:1988
>> connect = localhost:4952
>>
>> remote machine$ curl https://192.168.1.25:9999/DYMO/DLS/Printing/Check -v
>> * Trying 192.168.1.25...
>> * Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0)
>> * WARNING: using IP address, SNI is being disabled by the OS.
>> * Unknown SSL protocol error in connection to 192.168.1.25:-9847
>> * Closing connection 0
>> curl: (35) Unknown SSL protocol error in connection to 192.168.1.25:-9847
>>
>> stunnel.log:
>> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] accepted connection from 192.168.1.24:60748
>> 2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1
>> 2015.10.09 09:05:42 LOG6[38]: s_connect: connecting 127.0.0.1:41952
>> 2015.10.09 09:05:42 LOG5[38]: s_connect: connected 127.0.0.1:41952
>> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote server from 127.0.0.1:50503
>> 2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost
>> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
>> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
>> 2015.10.09 09:05:42 LOG6[38]: SSL connected: new session negotiated
>> 2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
>> 2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read)
>> 2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to SSL, 505 byte(s) sent to socket
>>
>> I tried verify = 1 to 4; neither works. :(
>>
>> Best Regards,
>> Adrian
>>
>> ______________________________________________________
>> powered by Perfect-Privacy.com / Secure-Mail.biz - anonymous and secure internet.
_______________________________________________ stunnel-users mailing list [email protected] https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
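The two-stanza layout Jose describes, written out as a complete stunnel.conf. This is an added example, not a configuration posted in the thread: the ports and the stunnel.pem file name are taken from the thread, the loopback relay port 1987 is Jose's choice, the target port 41952 is the one Adrian's logs show, and the CAfile path is a placeholder.

```ini
; Added example (not from the stunnel-users thread): Jose's two-stanza chain.
; Traffic path: LAN client --TLS--> :1988 --cleartext on loopback--> :1987 --TLS--> :41952

; Stanza 1: terminate TLS coming from the LAN.
; client = no makes stunnel the TLS *server* on 0.0.0.0:1988; the decrypted
; bytes are handed to the loopback relay below. This is the stanza that
; needs a certificate and key (stunnel.pem, as in the thread).
[myservice]
cert = stunnel.pem
client = no
accept = 0.0.0.0:1988
connect = 127.0.0.1:1987

; Stanza 2: re-encrypt towards the loopback-only service.
; client = yes makes stunnel the TLS *client* towards the service, so no
; cert is needed here. 127.0.0.1 is used instead of "localhost" on purpose:
; the logs in the thread show "localhost" resolving to both ::1 and
; 127.0.0.1 and stunnel round-robining between them.
[myserviceaux]
client = yes
accept = 127.0.0.1:1987
connect = 127.0.0.1:41952
; Without verification stunnel logs "Certificate verification disabled" and
; the LOG4 "needs authentication to prevent MITM attacks" warning seen in the
; thread. To authenticate the service, export its certificate and point
; CAfile at it (path is a placeholder):
; verify = 2
; CAfile = <path-to-service-certificate.pem>
```

This chain fixes only the transport problem in the thread (the "unknown protocol" error and the forever-hanging request came from a single stanza with `client = yes` expecting cleartext from the LAN). It does not change what the service sees in the HTTP Host header, so a service that answers only requests addressed to localhost will still refuse the forwarded request, which is what Adrian's last mail reports.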
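Adrian's last observation, that only https://localhost:41952/... is answered while https://127.0.0.1:41952/..., https://192.168.2.123:41952/... and the stunnel-forwarded https://192.168.1.17:1988/... are refused although all of them reach the same loopback listener, is the pattern a Host-header allow-list produces. The following is an added example, not code from the thread or from the service it discusses: a small model of such a check, with the log line a defender would want when a loopback connection carries a Host header that names something else (the signature of a local forwarder such as stunnel in front of the service). The allow-list policy, the `Request` type and the sample requests are assumptions; the peer addresses are taken from the "connected remote server from ::1:..." / "127.0.0.1:..." lines in the stunnel logs above.

```python
"""Model of a loopback-only HTTP service that gates on the Host header.

Added example (not from the stunnel-users thread). The policy below is an
assumption about the service discussed there; its real rule is not on the page.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address

# Assumed policy of the service: only requests whose Host names one of these
# are answered. This is what explains the thread's working/non-working URLs.
ALLOWED_HOSTS = {"localhost"}


@dataclass(frozen=True)
class Request:
    peer_ip: str   # address the TCP connection arrived from (what the socket sees)
    host: str      # HTTP Host header exactly as the client sent it


def host_header_name(host: str) -> str:
    """Return the host part of a Host header value, dropping any :port.

    Handles the forms curl and browsers send: a bare name, name:port and a
    bracketed IPv6 literal such as [::1]:41952.
    """
    host = host.strip().lower()
    if host.startswith("["):
        return host[1:host.index("]")]
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return name
    return host


def is_loopback_peer(peer_ip: str) -> bool:
    """True when the TCP peer is on the loopback interface (127/8 or ::1)."""
    try:
        return ip_address(peer_ip).is_loopback
    except ValueError:
        return False


def decide(req: Request) -> tuple[bool, str]:
    """Apply the assumed Host allow-list and return (accepted, log line).

    A rejected request that nevertheless arrived over loopback is worth a
    distinct log line: Host says one thing, the socket says another, which is
    exactly what a local forwarder (stunnel, a reverse proxy) in front of the
    service produces.
    """
    name = host_header_name(req.host)
    if name in ALLOWED_HOSTS:
        return True, f"accepted: Host={name} from {req.peer_ip}"
    if is_loopback_peer(req.peer_ip):
        return False, (f"rejected: Host={name} not allowed; connection came over "
                       f"loopback from {req.peer_ip}, likely a local forwarder")
    return False, f"rejected: Host={name} not allowed; peer {req.peer_ip} is not loopback"


# Constructed requests mirroring the thread's four cases.
THREAD_CASES = [
    Request("127.0.0.1", "localhost:41952"),       # browser on the same host: works
    Request("127.0.0.1", "127.0.0.1:41952"),       # same host, IP literal: refused
    Request("192.168.2.123", "192.168.2.123:41952"),  # same host via LAN address: refused
    Request("::1", "192.168.1.17:1988"),           # curl via stunnel on :1988: refused
]


def evaluate_thread_cases() -> list[bool]:
    """Accept/reject decisions for THREAD_CASES, in order."""
    return [decide(r)[0] for r in THREAD_CASES]


if __name__ == "__main__":
    for req in THREAD_CASES:
        ok, why = decide(req)
        print("OK  " if ok else "FAIL", why)
```

The point for the thread is the last case: stunnel's second stanza connects from ::1, so to the service the forwarded request is indistinguishable from a local one at the socket level, and the only thing that differs is the Host header curl sent (`Host: 192.168.1.17:1988`, visible in the curl -v output above). A Host-based check therefore says nothing about where a request came from, and a service that relies on it as its only localhost guard should log the mismatch rather than silently hang.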
